nixos/clatd: init

3 files changed, 85 insertions, 0 deletions

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 0fd44f067331..ae8be5b5dd35 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -92,6 +92,8 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.
 
+- [clatd](https://github.com/toreanderson/clatd), a a CLAT / SIIT-DC Edge Relay implementation for Linux.
+
 - [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable)
 
 - [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 29c373788c1f..6fd31c353d33 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -944,6 +944,7 @@
   ./services/networking/charybdis.nix
   ./services/networking/chisel-server.nix
   ./services/networking/cjdns.nix
+  ./services/networking/clatd.nix
   ./services/networking/cloudflare-dyndns.nix
   ./services/networking/cloudflared.nix
   ./services/networking/cntlm.nix
diff --git a/nixos/modules/services/networking/clatd.nix b/nixos/modules/services/networking/clatd.nix
new file mode 100644
index 000000000000..76e0c130ca46
--- /dev/null
+++ b/nixos/modules/services/networking/clatd.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.clatd;
+
+  settingsFormat = pkgs.formats.keyValue {};
+
+  configFile = settingsFormat.generate "clatd.conf" cfg.settings;
+in
+{
+  options = {
+    services.clatd = {
+      enable = mkEnableOption "clatd";
+
+      package = mkPackageOption pkgs "clatd" { };
+
+      settings = mkOption {
+        type = types.submodule ({ name, ... }: {
+          freeformType = settingsFormat.type;
+        });
+        default = { };
+        example = literalExpression ''
+          {
+            plat-prefix = "64:ff9b::/96";
+          }
+        '';
+        description = ''
+          Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.clatd = {
+      description = "464XLAT CLAT daemon";
+      documentation = [ "man:clatd(8)" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      startLimitIntervalSec = 0;
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";
+        startLimitIntervalSec = 0;
+
+        # Hardening
+        CapabilityBoundingSet = [
+          "CAP_NET_ADMIN"
+        ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectProc = "invisible";
+        ProtectSystem = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@network-io"
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+      };
+    };
+  };
+}